“How should we adapt our cybersecurity controls to address the new WFH reality?” This question is top-of-mind for CIOs and security executives. When it comes to cybersecurity in the post-COVID era, every CIO needs an answer to three key questions:
- What are the changes in usage patterns and architecture in my IT environment?
- How do these changes affect risk?
- What changes do I need to make to my cybersecurity posture and control environment?
Changes in usage patterns and architecture
For many organizations, working from home (WFH) was uncommon, especially for traditional office workers in horizontal business functions like finance, human resources, marketing, and so on. In addition, these workers are used to walking over to a colleague’s desk when they need something. This affects usage in two ways: remote access is now critical for many employees, and communication and collaboration solutions are essential for many employees’ effectiveness at work.
Of particular importance are the most sensitive applications, which often run on-premises on separate networks. Reaching these from home poses a problem not only for protection needs, but also for compliance with global and industry regulations.
How the risks change
Risk is a function of the probability that some bad event will occur and its impact on the organization. In cybersecurity, the probability is affected by the activities of the attackers and the vulnerability of the IT environment within the context of the normal, legitimate use of the systems. The impact involves the extent to which an attack affects confidentiality, integrity, availability, productivity, and/or propriety. To understand the effect of COVID-19 use and architecture changes, we have to understand the threats, vulnerabilities, and impact that come with these changes.
As with any widespread event like holidays, sporting events, or natural disasters, during the pandemic, we’ve seen increased hacker activity, with spam and phishing attacks on the rise. In addition, new methods are sometimes employed to commit fraud or otherwise harm organizations due to changes in use. For example, once Zoom became widely used for meetings, hacker “Zoom bombing” became a foregone conclusion.
A higher risk is a renewed attacker focus on home networks, as WFH becomes the new reality for many and as road warriors carry the habits they formed on wi-fi hotspots into their home environments. While laptops are often well hardened for these scenarios, home networks have not been significant targets in the past and may need more attention.
On the vulnerability side, server and application resources are likely to have an increased attack surface, simply due to IT environments extending network connectivity into homes; this potentially exposes new vulnerabilities of laptops, home networks, and applications across more components (think network stops, or “hops”). Companies that are already used to anytime-anywhere computing know how to deal with these environments, but the new usage patterns and architectures are significant changes for others. With the interconnectedness of organizations and business partners, it may be useful to recognize that those partners, say in a supply chain, are experiencing similar challenges: as a result, the entire connected environment bears increased risk. In this scenario, there may be 3rd, 4th or even 5th parties involved in the activity.
Finally, COVID-19 brings along with it a whole new level of reliance on communication and collaboration applications that may not have existed previously. This is perhaps the most challenging notion to remember about risk – even if nothing had changed technically (which isn’t true here), the impact can increase, and that is a likely scenario as enterprises work to stay afloat in these challenging times. Impact is also felt on technical support due to the distributed nature of the resources. Any sort of triage, malware infection, and the like will have an increased impact simply due to the additional logistics effort required to address the problem.
Effect on the cybersecurity control environment
Historically, IT environments have been protected from the “bottom-up” by addressing the physical location (usually a data center), the network, and the servers/hosts. Economies of scale could be gained in physical security through putting all computing equipment into the same room (data centers, wiring closets, etc.), and in network security by putting all the equipment on the same physical network and using firewalls for separation. These economies of scale have been extended through the use of site-to-site VPNs, web security gateways, and other solutions.
Though there are fewer economies of scale, endpoint security has been augmented through the years, and enterprise-owned laptops nowadays have fairly strong security. Smartphones, tablets, and employee-owned laptops are another story, however. Some organizations have built out a security program that is all-inclusive while others are still based on an expectation of full asset ownership, on-premises. Of course, many other factors have changed through the years, with distributed computing, the internet, virtualization, cloud, and software-defined everything. Yet many of the same principles have applied. COVID-19 will change all that.
Within a day after the first stay-at-home order, the effect of COVID-19 was obvious. The first big hurdle for many organizations was ensuring users could access the necessary applications securely from home. Of course, VPNs are the first line of defense and are extremely common, but the need to address performance and administration became paramount. Changing network security access restrictions and rules has been a huge burden for some.
Yet others are just a bit further along the innovation curve and have had no significant problems at all. These are often companies modeling Google’s BeyondCorp architecture or some other zero trust capability to introduce dynamic rules, assigned to users and applications, that change when the location changes. They have deployed multifactor authentication throughout their environment. They have effectively moved security up the stack to focus on users, data, and applications, regardless of which devices or networks are used or where the data is stored.
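To make the zero-trust idea in the paragraph above concrete, here is a small policy engine in the style it describes: the decision depends on user, device posture, application sensitivity and multifactor freshness, and a change of network location re-challenges the session instead of being trusted. This is an added example, not code from the article, from Google’s BeyondCorp, or from any vendor; the attribute names, thresholds, sensitivity labels and sample requests are all assumptions constructed for the illustration.

```python
"""Location- and posture-aware access decisions in a zero-trust style.

Added example: the rule set, attribute names, thresholds and sample requests
are assumptions made for illustration, not a real product's policy model.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # grant only after a fresh MFA challenge
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str
    app_sensitivity: str              # "low" or "high" (assumed classification labels)
    device_managed: bool              # enterprise-owned, hardened laptop vs BYOD
    network: str                      # "corp", "home" or "public"
    mfa_age_minutes: Optional[int]    # minutes since the last MFA; None = never
    last_seen_network: Optional[str]  # network of this user's previous session


# Constructed policy: how fresh MFA must be, by data sensitivity (minutes).
MFA_MAX_AGE = {"low": 12 * 60, "high": 60}
# Unmanaged (BYOD) devices never get more than one hour of MFA grace.
BYOD_MFA_CAP = 60


def evaluate(req: AccessRequest) -> Tuple[Decision, str]:
    """Decide one request; returns the decision and the rule that fired.

    Rules run from most to least restrictive and the first match wins. None of
    them treats the network as a source of trust: the corporate LAN is handled
    exactly like a home or public network, so the control follows the data.
    """
    # 1. Sensitive apps require a managed device, wherever the user sits.
    if req.app_sensitivity == "high" and not req.device_managed:
        return Decision.DENY, "high-sensitivity app requires a managed device"

    # 2. MFA freshness is required everywhere; BYOD devices get a tighter window.
    max_age = MFA_MAX_AGE[req.app_sensitivity]
    if not req.device_managed:
        max_age = min(max_age, BYOD_MFA_CAP)
    if req.mfa_age_minutes is None:
        return Decision.STEP_UP, "no MFA on record for this session"
    if req.mfa_age_minutes > max_age:
        return Decision.STEP_UP, f"MFA is {req.mfa_age_minutes} min old, limit {max_age}"

    # 3. The rule that "changes when the location changes": a session that has
    #    moved to a different network is re-challenged before it continues.
    if req.last_seen_network is not None and req.last_seen_network != req.network:
        return Decision.STEP_UP, f"network changed {req.last_seen_network} -> {req.network}"

    return Decision.ALLOW, "all rules satisfied"


def evaluate_all(requests: List[AccessRequest]) -> List[Tuple[str, str, str, str]]:
    """Produce one audit-friendly row per request: user, app, decision, reason."""
    rows = []
    for req in requests:
        decision, reason = evaluate(req)
        rows.append((req.user, req.app, decision.value, reason))
    return rows


# Constructed sample requests; the users and application names are invented.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "payroll", "high", True, "home", 15, "home"),
    AccessRequest("bob", "payroll", "high", False, "home", 5, "home"),
    AccessRequest("carol", "wiki", "low", False, "public", 30, "public"),
    AccessRequest("dave", "wiki", "low", True, "home", 200, "corp"),
    AccessRequest("erin", "payroll", "high", True, "corp", None, "corp"),
]

if __name__ == "__main__":
    for user, app, decision, reason in evaluate_all(SAMPLE_REQUESTS):
        print(f"{user:6} {app:8} {decision:8} {reason}")
```

Running the block prints one line per sample request: alice is allowed, bob is denied (personal device against a sensitive app), carol is allowed on a low-sensitivity app from a public network because her BYOD MFA is recent, dave is stepped up because his session moved from the corporate network to home, and erin is stepped up because she has never completed MFA, even though she is sitting on the corporate LAN. The reason string is what you would want in the SOC log so that every denial or step-up is explainable.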
Cybersecurity professionals have long been aware of the need for more robust controls to protect the increasingly complex computing environments. For some programs where the engineering and integration work have already been done, this may be a good time to consider a slow rollout to a new architecture.
Other programs that are behind the curve, however, must be even more conservative. The line between balancing the risk of future attack with the downside of potential false positives that impede the productivity of legitimate users has never been finer. Now is not the time for productivity disruption in the name of enhanced security. That doesn’t mean ignore it; it means be very, very careful.
Your 10-point long-term WFH to-do list
The advice below assumes that the fires associated with triaging the existing control environment have all been put out and the environment is at least temporarily stable.
In the next six months
- Automate, automate, automate – look for ways to ensure patching, password resets, change control, incident management, and other manual processes are automated wherever and whenever possible.
- Deploy multifactor authentication everywhere – one lesson that should be apparent to anyone is that you can’t rely on passwords for anything, even inside an organization. Though not a silver bullet, multifactor may be the closest thing to a magical elixir cure-all that can reduce risk everywhere.
- Develop a BYOD plan, even if you normally don’t allow BYOD – ensure you have a way for unmanaged devices to access organization resources without compromising on protection. This includes paying attention to home network security.
- Review your data governance policy and program – ensure that owners are identified and any policy issues associated with the content are addressed, such as jurisdictional issues with cloud environments.
- Upgrade the 3rd/4th-party compliance program – create a program of continuous compliance that does not require site visits. Rely on 3rd party audits, continuous reporting of activity and controls, and robust architecture for protection.
- Assess the need for location- or asset-oriented controls – work to eliminate the need for applications to run on a certain device or be in a certain location or on a certain network in order to provide protection.
Within 18 months
- Create a virtual SOC – either through an MSSP or leveraging SaaS solutions, build out a SOC for anytime, anywhere monitoring.
- Separate application and data from network and device security – ensure that applications and data are protected when accessed from any device on any network path.
- Implement a Cloud Security Gateway and/or Environment – create a cloud-based environment to route any/all network traffic through to apply applicable security protection.
- Develop a Distributed Integrity architecture – incorporate encryption and integrity into data and applications.